ALM Properties, Inc.
Page printed from: Corporate Counsel
Hoarders, the Corporate Data Edition
Law Technology News
In 2009, A&E Television Networks began broadcasting a reality-based program, Hoarders. Each week the show examines the case of an individual who suffers from a symptom of obsessive compulsive disorder or obsessive compulsive personality disorder that causes him or her to experience extreme distress at the prospect of discarding specific items, or in some cases, anything at all.
According to the show's website: Hoarders not only captures the drama as experts work to help each person get on the road to recovery, but also highlights the individual's inner challenges and triumphs. Although cleaning marks the first step of tackling this disorder, success is not definite. For some individuals, throwing away even the tiniest object is so traumatizing that they are not able to allow the cleaning process to continue, no matter how it may impact their lives.
Extreme examples included episodes chronicling a woman with 76 cats, a man who saved every copy of National Geographic ever printed, and a woman who could not part with a collection of 50,000 dolls. The audience watches in amazement at a person who is seemingly unable to make a rational decision to throw junk away in order to improve his or her life.
Unfortunately, this condition is not confined to individuals, but wreaks havoc on large organizations as well. Just as this condition carries significant consequences for people, the toll it exacts on corporations is equally destructive, if not readily apparent. There are significant costs associated with the tendency to save nearly everything, regardless of its value.
Indeed, the failure to dispose of anything is itself a decision that all data is of equal value, imposes the same risk on an organization, and is justified by the costs imposed on the organization. Much like hoarders, an organization cannot be as productive in this state, because no one can find, use, or protect what is actually valuable to the organization.
DO THE MATH
A recent article in Science magazine, "The World's Technological Capacity to Store, Communicate, and Compute Information," stated that collectively we have accumulated 295 exabytes of information. While legal and corporate IT departments are finally getting a grip on managing terabytes and moving on to petabytes, exabytes are lurking and ready to be thrust into reality. According to the "Gartner IT Key Metrics Data 2012" report, the total cost of storing and managing a petabyte of information is nearly $5 million per year. Loosely, this translates to about $5,000 per terabyte. However, this is only part of the story. Assume that an organization that stores 10 petabytes of data might have about 1 petabyte of email throughout its IT infrastructure, including production email, PSTs, Lotus Notes files (NSFs), other loose email files on individual hard drives or file shares, and an email archive. (We are purposely avoiding the issue of backup tapes.)
Further assume that this size of organization might pay upwards of $20 million a year on electronic data discovery. From this figure, it is possible to back into the EDD "tax" that must be assessed to a given terabyte of data from a target-rich environment such as email. The RAND Institute for Civil Justice issued a study report, "Where the Money Goes: Understanding Litigant Expenditures for Producing Electronic Discovery," this year that showed a median cost for collection of $910 per gigabyte, $2,931 per gigabyte for processing, and $13,636 for reviewing a gigabyte of data.
Plugging these numbers into the $20 million spent for a corporation above, we arrive at a "probability of review" for a given message of about .1 percent. Therefore, for every terabyte of key data, we see an EDD "tax" of 1 gigabyte or about $15,000 when the costs of collection, processing, and review are tallied. If we add the $5,000 in hard costs from the IT figure above, we arrive at about $20,000 per year.
However, for the purposes of this analysis let's set aside the EDD costs. Finance departments often struggle to properly account for projected costs that are probabilistic, discounting these costs to the "best case scenario." Considering solely the IT costs of $5,000 per terabyte, some rather ominous mathematical calculations begin to take shape.
According to the Compliance Governance and Oversight Council, the amount of data that an organization could defensibly dispose of is staggering. The Council's postulate is that information must be retained for three reasons: 1) it is subject to legal hold, 2) it is subject to a regulatory requirement, or 3) it is valuable for business purposes. According to CGOC, about 5 percent of information is subject to regulatory obligations, about 25 percent of corporate data is of business value, and only about 2 percent is subject to legal hold.
Assuming "safe margins," in that it is somewhat difficult to separate wheat from chaff even with the highest level of will and technology, let's round that up to 50 percent. If 50 percent of corporate data is of no value and carries no obligation, it represents tremendous opportunity for savings. In a company with 10 petabytes of data, 5,000 terabytes are candidates for disposal. When the cost per terabyte is juxtaposed against the percentage of data that must be retained, stark conclusions appear.
Even if just 1,000 terabytes (a petabyte) could be disposed of, the unnecessary cost (or waste) is $2.5 million per year. It is important to consider what might have been sacrificed to maintain this unnecessary data. Many corporations have experienced staff reductions in the last few years. If an office worker costs a company an average of $120,000 per year ($100,000 salary and $20,000 in overhead for benefits, computer, etc.), an unfortunate equation emerges. For every worker laid off, the hypothetical corporation chose to store 24 terabytes of information with no value or obligation associated with it.
Many might think that surely there must be more complex risk elements that make this analysis too skewed to land such a cataclysmic blow. In some cases, this may well be true. For example, in highly regulated industries and businesses, there may be stringent legal requirements to retain certain types of data for specific time periods and in particular formats (e.g., SEC 17a-4 for broker dealers in the financial services industry). That being said, the analysis changes only as a matter of degree and not of direction.
The common law is similarly stark, yet perhaps counterintuitively in favor of proper disposal: "Document retention policies, which are created in part to keep certain information from getting into the hands of others, including the Government, are common in business. It is, of course, not wrongful for a manager to instruct his employees to comply with a valid document retention policy under normal circumstances." Arthur Andersen LLP v. United States, 544 U.S. 696, 704 (2005).
In addition to the United States Supreme Court's dicta in Arthur Andersen, the issue has arisen several times in the lower courts with the same favorable treatment. While this law is well established, emerging law also applies similar pressure to this sensitive topic. It is often incorrectly said that "privacy" is something that must only be considered across the pond, and that corporate email and other information sources are considered corporate property in the U.S. and the ability to do almost anything the organization wishes with email is plenary.
In reality, the only action that organizations tend to take on data is the power to retain it or "hoard" it forever. This flies in the face of European and other states' privacy directives that typically contain a "purpose of use" limitation. Translated, this means that an organization may keep information that may be private or confidential only for the time period that matches its purpose of use. For example, a credit application or human resources-related email may be retained only for the time period that the corporation needs it, and then it must be disposed of, according to the law in many European states.
The truth of the matter is that the U.S. may be leaning, albeit slowly, towards a European privacy perspective. For example, the Health Insurance Portability and Accountability Act of 1996, the Gramm-Leach-Bliley Act, and scores of other regulations carry privacy limitations similar to EU member states. In February 2012, the White House released the controversial "Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy." The White House used familiar language: "Companies should securely dispose of or de-identify personal data once they no longer need it, unless they are under a legal obligation to do otherwise."
Hoarding of information indefinitely causes a direct or indirect conflict with these principles. Indirectly, it can be said that the risk of a breach or violation can be reduced by disposing of information once it is no longer needed.
If the math is so clear, and the law is so clear, why is this problem not solved? In Hoarders, the social workers and law enforcement personnel have a distinct advantage: they have but one person to convince. Large organizations have many constituencies that must work in concert to effect change. When the legal department, the records and information management or compliance teams, and the privacy and security units join forces, protocols can be established or updated.
Often, the CIO and/or COO becomes a chief sponsor, articulating a sound business plan for an investment project aimed at transforming information economics. Put bluntly, there is no stakeholder in the corporation who will not benefit from defensible disposal. It is time to dispose of unnecessary data.
Attorney Jake Frazier is the Information Lifecycle Governance Product Strategy Manager at IBM and executive director of the Compliance Governance & Oversight Council. Anthony Diana is a partner at Mayer Brown and serves on the CGOC faculty. Thomas Strong, an associate at Mayer Brown, contributed to the article.
This article originally appeared in Law Technology News.